Generate TOTP Secret

Generate TOTP secrets with QR codes for two-factor authentication setup.

GET /v1/auth/totp-generate (1 credit per request)

cURL:
curl "https://auth.toolkitapi.io/v1/auth/totp-generate?issuer=MyApp&account_name=USER_EMAIL&digits=6&period=30" \
  -H "Authorization: Bearer YOUR_API_KEY"

Python:
import httpx

# Same request as the curl example above, with the Authorization header the curl example sends.
resp = httpx.get(
    "https://auth.toolkitapi.io/v1/auth/totp-generate",
    params={"issuer": "MyApp", "account_name": "USER_EMAIL", "digits": 6, "period": 30},
    headers={"Authorization": "Bearer YOUR_API_KEY"},
)
resp.raise_for_status()
print(resp.json())

JavaScript:
const resp = await fetch("https://auth.toolkitapi.io/v1/auth/totp-generate?issuer=MyApp&account_name=USER_EMAIL&digits=6&period=30", {
  headers: { "Authorization": "Bearer YOUR_API_KEY" },
});
const data = await resp.json();
console.log(data);

Response: 200 OK
{
  "secret": "JBSWY3DPEHPK3PXP",
  "uri": "otpauth://totp/MyApp:USER_EMAIL?secret=JBSWY3DPEHPK3PXP&issuer=MyApp&digits=6&period=30&algorithm=SHA1",
  "qr_code": "data:image/png;base64,iVBORw0KGgo...",
  "current_code": "482193"
}

How to Use

1. Set `issuer` to your application or service name and `account_name` to the user's identifier (email, username).

2. Optionally customize `digits` (6 or 8), `period` (10–120 seconds), and `algorithm` (SHA1, SHA256, SHA512).

3. Send a GET request. Store the returned `secret` securely in your database associated with the user.

4. Display the `qr_code` (a data URI PNG image) to the user for scanning with their authenticator app. Alternatively, show the `secret` for manual entry.

About This Tool

The Generate TOTP Secret endpoint creates a new shared secret for Time-based One-Time Password (TOTP) authentication, as defined in RFC 6238. It returns the Base32-encoded secret, an `otpauth://` URI for authenticator app registration, a QR code image for easy scanning, and the current TOTP code for immediate verification.

TOTP is the standard behind two-factor authentication (2FA) apps like Google Authenticator, Authy, and 1Password. The generated secret and QR code allow users to add your service to their authenticator app in seconds.

You can customize the issuer name, account identifier, number of digits (6 or 8), time period, and HMAC algorithm to match your security requirements.
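The step the endpoint's `current_code` field is meant for is verification of a user's submitted code against the stored secret. The following is an added example, not the API's or the page's own code: it parses the returned `otpauth://` URI, implements RFC 6238 for the SHA1/SHA256/SHA512 and 6/8-digit options above, and verifies with a small clock-drift window. The embedded secret is the RFC 6238 test key, a constructed stand-in for a real user's secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238 test key ("12345678901234567890" as ASCII), Base32-encoded. A constructed
# stand-in for the `secret` field the endpoint returns, not a real user's secret.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth_uri(uri: str) -> dict:
    """Pull secret/digits/period/algorithm out of an otpauth://totp/ URI like the `uri` field."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = parse_qs(parsed.query)
    return {
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
    }


def totp_code(secret_b32: str, unix_time: int, digits: int = 6,
              period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238: HMAC over the big-endian time-step counter, dynamic truncation, mod 10^digits."""
    s = secret_b32.strip().upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate unpadded Base32
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, _ALGORITHMS[algorithm.upper()]).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, digits: int = 6,
                period: int = 30, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock drift), constant-time compare.
    Callers should also refuse to accept the same time step twice for a user, to block replay."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for step in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```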

Frequently Asked Questions

Which algorithm should I use?
SHA1 is the most widely supported and is the default for Google Authenticator and most TOTP apps. SHA256 and SHA512 offer stronger security but may not be supported by all authenticator apps.

Why is the default period 30 seconds?
30 seconds is the standard TOTP time step defined in RFC 6238 and used by virtually all authenticator apps. Shorter periods improve security but may frustrate users. Longer periods increase the window of vulnerability.

How should I store the secret?
Store the Base32-encoded secret encrypted in your database, associated with the user account. Never expose it after initial enrollment — the QR code display should be a one-time setup step.

Can users scan the QR code with any authenticator app?
Yes. The `otpauth://` URI format is a standard supported by Google Authenticator, Authy, 1Password, Microsoft Authenticator, and most TOTP-compatible apps.

Start using Generate TOTP Secret now

Get your free API key and make your first request in under a minute.